Slashdot Mirror
Linux Kernel Exploit Busily Rooting 64-Bit Machines
An anonymous reader writes "Running 64-bit Linux? Haven't updated yet? You're probably being rooted as I type this. CVE-2010-3081, this week's second high-profile local root exploit in the Linux kernel, is compromising machines left and right. Almost all 64-bit machines are affected, and 'Ac1db1tch3z' (classy) published code to let any local user get a root shell. Ac1db1tch3z's exploit is more malicious than usual because it leaves a backdoor behind for itself to exploit later even if the hole is patched. Luckily, there's a tool you can run to see if you've already been exploited, courtesy of security company Ksplice, which beat most of the Linux vendors with a 'rebootless' version of the patch."
I thought only windows got exploited this way.... oh thats right All OS's do.
Why does the summary and articles read like a paid advertisement for Ksplice?
Yes, there's an available rights escalation vulnerability in recent Linux Kernels that's best patched by updating your system with the latest updates. The breathless nature of the fine summary betrays an eagerness to get Linux admins to click the links before they've done so. I'd rather not. Social engineering is such a powerful exploit mechanism after all.
The Windows geeks obviously will want to paint this as a native Linux vulnerability that they don't have - and it is marginally true. That's fine - but it's an escalation bug, not a remote root, and they've several dozen remote root bugs to close before they point fingers.
Help stamp out iliturcy.
This is a local exploit so I'm not horribly concerned and here is why.
You should always treat your systems as if an exploit already exists for both remote and local connections.
The systems I maintain are part of a bit of an elaborate network. There is a huge investment in controlling incoming and outgoing traffic as well as managing who actually has access to systems. While a local exploit a big deal it's not like there are a great number of places for users to inject this code. If someone could compromise an input vector and piggyback the exploit that still wouldn't get them very far. In fact, without knowing key details regarding the network infrastructure they would simply nab a host that could not reach the outside world.
With that said we do have a bit of reliance on lbs, traffic inspection, firewalls and a good bit of monitoring equipment. However, there is a solid investment in specific purpose network and security protocols to accomplish these goals. In a bit of a cheaper shop I'm wondering what others do to maintain security and get some of the same tools. (I'm being very vague about our setup intentionally, but there have to be some decent foss network tools as well).
If hostile users have local access, you're pretty much boned anyway.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
1. MS & Windows shills may laugh about this, but only because they feel your pain. Beyond that, what does making this statement even mean?
2. 64bit hardware is cheap. You can buy an AMD64 X2 5000 Dual Core CPU for 38 bucks shipped.. add a mobo for another 45 and if you need ram, another 50. eBay for more savings
Now Ksplice is really starting to piss me off. This is at least the fifth time we've get this kind of crap on slashdot.
Besides that, this is an escalation vuln ... it's local, ok? Not a remote exploit. And, regardless of all that, there's already a fix, which was promptly released before this got out of hand.
So, between the ksplice assholes that abuse each vulnerability that is published to blow it out of proportion and somehow imply that if you require ksplice to patch this without loosing your job (I mean, come on, If your service is critical enough that it can't accept 2 minutes of downtime for a reboot, then you have redundancy and can update machines one by one without any real downtime) ; and the winslow assholes that don't understand shit about security and somehow think that this means that GNU/Linux is insecure and as bad as their shitty system, I'm going nuts every time there is a new vuln in the kernel.
WTF am I doing replying to an AC at 5 A.M on a Friday night?
Am I the only person who says "hell no" to running that "diagnosis" program? After looking through the code real quick, I have no interest whatsoever in running a program that performs the very exploit I'm supposed to be scared of, cuz I don't have time to make sure ksplite neutralized it properly. Also, since it's only a local exploit, I'm not concerned enough about it to run a diagnosis tool that implements it.
And good lord god almighty, what 12 year old wrote this code, that they think having function names like put_your_hands_up_hooker() makes them cool?
There is something to be said though about going to a 64bit operating system. The fact that there are a little more than twice as many general purpose registers in the CPU available means that code can be compiled to not need to do memory fetches anywhere near as often which means that the code will run faster. the extra addressing space has always been a red herring argument (e.g. i only need it if i have more than 4gb of ram).
A virus scanner isn't going to do much against a rootkit.
C'mon now. As others have pointed out, and has been mentioned earlier on /., this is a local root exploit. It's bad, it affects a lot of users (in theory), but to write this is to simply spread fear for most of those using Linux.
Why? Because the systems that inexperienced users run also happen to be those with a few, generally trusted users. Think netbooks. Sure, all local root exploits are bad and should be patched asap. But that doesn't mean "you're probably being rooted as I type this". It means that a remote attacker needs user-level privileges (say, with a browser or plugin vulnerability) first. Since Ubuntu and probably other major distros have already patched this, and the default settings for updates on these systems is to check fairly frequently, most end users will have the patched kernel quickly.
That leaves multi-user systems. The admins of these servers certainly benefit from finding out about the vulnerability asap, and they did (including through previous stories here). By now, though, most admins should have something in place if they don't have full trust in their users. If they don't, they should definitely be looking at whether this was exploited.
The bottom line is that there are many local root exploits which come out every year. This is the latest one, with a patch already available. Responsible admins of multi-user systems are used to dealing with this, and home users are almost certainly going to be patched before it causes any issues. For them, the latest Flash vulnerability is more worrisome. Even the extremely rare remote exploit of a service isn't usually an issue, since most modern distros don't start much of anything by default (including ssh, IIRC).
"The universe seems neither benign nor hostile, merely indifferent." --Carl Sagan
... until you get closer to 16GB of RAM and you start running out of lowmem (especially on older 2.4 kernel systems).
$ man woman *
-bash:
Tell us how great OSS is.
OSS is great... my Ubuntu machines were already patched a day before the first scare stories about this exploit appeared here on Slashdot.
Speaking from the grave I see, Mr. 979059. =D
Microsoft already felt the pain, because the Xbox 360 hypervisor got owned by the same exact hole . It would almost be the same instruction-by-instruction identical bug were it not for the fact that the 360 is a PowerPC system and this is an x86_64 hole. Yes, they, too, used a 32-bit compare to check the system call humber, then indexed into the array using the full 64 bits, exactly the same bug that caused this Linux hole.
Point out a current remote root exploit in Windows. To the best of my knowledge, there are none. Which means that the original poster is just fluffing his feathers trying to divert attention from the Linux issue.
While this isn't something that means Linux is majorly insecure or anything, it is a Linux issue. However fanboys don't like that, they can't just say "Yep, there's a problem." Instead they want to try and deflect it, make it about something else. So he deflects the issue by claiming there are some nebulous "remote root bugs," without any specifics.
quiet, children.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
this is an exploit to gain "root" (administrator) access not a rootkit which is a malicious program built to hide itself from the operating system.
But the exploit leaves a backdoor (hell, it's right there in the summary) which *is* what a rootkit does.
Rootkits do typically hide themselves -- but only so they aren't removed, so they can provide root access at a later date. Their primary function is to provide root access at a later date -- which this exploit does, according to the summary.
I used to have a 4 digit UID, but it was stolen by Ac1db1tch3z.
You don't necessarily need shell access, just the ability to run a binary as any user.
This could be done, for example, if it is a web server and there is a PHP script with a vulnerability. If a hacker can run arbitrary PHP code, then they can run code to accept an upload of the binary.
Once the binary is uploaded to a world-writable directory such as /tmp or /var/lib/php/sessions,
the hacker can use the ability to run arbitrary PHP code again to invoke fchmod(), make the binary executable then use the system's dynamic loader and execute the binary, as in
passthru("/lib/ld-linux.so.2 /path/to/some/exploit/binary");
post your ip address and root password and I'll check it for you.
Do you even lift?
These aren't the 'roids you're looking for.
Our UNIX admin has the philosophy that anyone with local access can get root if they want it bad enough. Security isn't done by presuming you've made that impossible. Rather security is done by making sure you don't give access to just anyone, and to monitoring what people do. Local escalation exploits are things to be fixed, since they can always make a remote exploit worse (someone exploits something remotely, gets unprivileged access, exploits the local exploit to get root) they aren't a critical threat usually.
However I will say you don't make things much better when you start with name calling with regards to Windows and the people that run it. That smacks of being the sort of asshole that knows little about the other platform that you are painting them to be. That you have a preferred platform is great. One would hope it is based on good reasons. However name calling on another platform indicates it is more likely based on zealotry than anything else.
Guys, come look, its Abraham!
Tell us how great OSS is.
Tell us how much better Linux is.
Tell us how badly Microsoft sucks.
I'm a PC, and using Windows instead of Linux was my idea.
I knew it was just a matter of time before Ballmer showed up as an AC on Slashdot.
I have 64 bit hardware but I run x86 based distros. 64 bit is only good for the extra ram maybe to the desktop user. And there still is a lot of issues getting older programs to run on a 64 bit distro.
The x86_64 architecture has more registers than i386 and can do some operations 64 bits at a time rather than 32 bits. This means that programs compiled to run on a 64 bit architecture are often significantly faster than those compiled to run on 32 bit architectures.
I think an average figure is 20% faster or so on the same hardware -- you get this simply by installing a 64 bit distribution and using 64 bit binaries. Your system can probably still run 32 bit binaries (if it has the right libraries) but they won't be faster.
The advantages go beyond a larger address space.
As a long time user I get the option to disable advertising. I don't. I even whitelist Slashdot in Adblock because I support the site and the banner ads are rarely obnoxious.
These poorly disguised articles-as-ads are quite annoying though. Just make KSplice pay for a banner like everyone else.
What is annoying me about these issues is that they are described so poorly that I'm not certain if I have a problem. I run 64-bit Linux but no 32-bit code and there are no local users other than for the services I'm running (http and ssh). So do I need to take the time to do something or can I wait for a normal update?
At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
Is anything bad going to happen to you if you compile and run that C code? As far as I can tell, no.
You are very likely correct in thinking that adding yet another anonymous recommendation on the internet will make more people run the code. However, this is Slashdot, where the users are slightly more security aware than on an average internet site.
You see, If I were to attack all those nifty linux boxen out there, what would be a better attack vector than advertising your exploit on slashdot, which is known to accept almost anything on the front page, and yet is very likely to contain the biggest active linux user community on the nets? By looking at the code it seems obvious that the tool contains enough binary code to contain an exploit or three. If it is never used in a malicious way, it is somewhat difficult to say. So, outside a security lab setting, it is hard to tell if the provided code is not the exploit itself. Definitely "You are probably getting hacked right now! Check for viruses for free!" has been one of the more common attack vector against Windows users.
Whatever the case, I would not recommend running code that looks like this:
static char dis4blens4sel1nuxhayettgdr64545[] and
static int wtfyourunhere_heee(char *out_release, char* out_version)
Y'know, sometimes there are posts that are poignant, interesting, on-topic, and yet are modded down as a troll for no better reason than people who have mod points are more interested in squelching challenging ideas. That's fine, and slashdot has a mechanism to deal with that, called Karma.
Because I have good /. Karma I can call your attention to the parent post even though I believe it's been badly moderated. Because I'm a Slashdot subscriber, I get an extra point to add to this post, which calls attention to the parent. I have enough good Karma that even if this post is moderated a troll I will have lost nothing.
I'm making this amplifying post because the parent post was moderated down in one second. It was born silenced. Obviously there were moderators prepared to prevent you from hearing my response to the question asked. Some of you might for this reason alone find my words above meaningful or intriguing.
Help stamp out iliturcy.
no, you.
Just to clarify I understand that there are two zero day root-providing bugs. (Everyone talks about THE bug.)
CVE-2010-3301 patched by http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=36d001c70d8a0144ac1d038f6876c484849a74de and http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=eefdca043e8391dcd719711716492063030b55ac
CVE-2010-3081 patched by http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=c41d68a513c71e35a14f66d71782d27a79a81ea6
The situation appears to be exactly as described by Ksplice.
CVE-2010-3081 has been discussed on RedHat forums and elsewhere.
The Ac1db1tch3z exploit published on the full disclosure list http://seclists.org/fulldisclosure/2010/Sep/268
does indeed appear to contain a backdoor (0p3n1ng th3 m4giq p0rt4l).
From the comments, the vulnerability was found in 2008 and the exploit has been used by the author for some time, and may have been circulating in the underground. When the vulnerability was found and disclosed by Ben Hawkes, the exploit was published to a wider audience.
A number of sysadmins may well have run the exploit on their systems to prove to themselves that this was a real threat. In doing so they may unknowingly have left a backdoor.
More commonly, proof-of-concept exploits posted on full-disclosure lists are crafted by security researchers, do not contain backdoors, and are relatively easy to read. In this case, the disclosed exploit is crafted by a hacker, may well contain a backdoor, and is written with leetspeak runtime messages and obfuscated code.
I admit I do not fully understand the code in the exploit or in the detection tool, or indeed the nature of the backdoor. However, on a Fedora 9 system, running the detector says there is no backdoor. After the exploit is run, the detector says there is a backdoor, so
the exploit must have changed the state of the system in some way. The detector looks for 3 separate backdoors; the one on my
test system disappears after reboot. As I thought the fix was to update the kernel to a patched version, which requires a reboot, I'm not sure how the backdoor could survive. I do not see how having the backdoor is riskier than having an unpatched system.
I can say, though, that the vulnerability exists in stock kernels 2.6.25 - 2.6.36, and was back-ported by RedHat into 2.6.18 used /proc.
in RHEL 5 (hence CENTOS 5). As stated by others, an unprivileged user account is required in order to exploit the vulnerability, which exists only on 64-bit x86 systems which also can run 32-bit code. One published mitigation step, which does not require a reboot, is to disable 32-bit compatibility mode by writing into
post your ip address and root password and I'll check it for you.
127.0.0.1
hunter2
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
You are using the word in the layman sense, disregarding it's origins. Why do you think it's called rootkit? It's a term used to describe a "kit" of software that allows the attacker to regain root access later on. Patch login to always allow a second predefined password, drop it into place, and you have yourself a rootkit. The techniques that rootkits developed to hide themselves have been borrowed by malware, and the term has been usurped too (in a similar fashion to what happened to the word "bricked", which now seems to mean "requires a power cycling or re-flashing".
That doesn't make that usage correct.
"linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
Someone woke Methuselah - now there will be hell to pay!
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
The /. editors fall hook, line, and sinker for these advertisements for Ksplice submitted by an 'anonymous reader' every 6-8 weeks. Get used to them.
"What kind of music do pirates listen to?" -Paul Maud'dib
"Yeeeaaarrrrr n' Bee!!" -Stilgar, Leader of Sietch Tabr
Actually, the extra virtual memory space program-side is far more important than the extra physical memory space ever was. Typically, a 32-bit program is limited to 2GB of address space, including actually used ram, memory mapped files, reserved but unused pages (e.g. the stack growth area), memory mapped device memory (e.g. graphics mem) and the program and its dlls. Thanks to fragmentation of the address space by all of these, a program can fail to allocate memory without even getting close to 2GB of ram use. I could, as a proof of concept, write a program which will fail to allocate a 512MB block while only using kilobytes of ram, simply by requesting one 4kB memory page from every 512MB through the address space.
64-bit software resolves that problem (at least until we get programs trying to allocate exabytes of ram in one block)
Dude! - I am SO going to root my very own computer!
..........FULL STOP.
Obviously both copied from SCO. Namely their 64 bit code.
NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
Would you kids get off my lawn?
Is it really difficult to understand?
Rootkit = software installed on a machine to serve some unsavoury purpose.
Backdoor = A method of accessing a system, generally hidden from the user and/or administrator of a machine
A rootkit can open a backdoor, but then so can poorly-configured machines, or kernel vulnerabilities. They are not the same.
Going to 64 bit means your instructions will be 64 bit, which means doubling the cache mem usuage.
Not true. x86 and x86_64 both use a variable-length instruction encoding. You actually get slightly better instruction density with x86_64, because a number of instructions that used to only work with eax now work with any target register, so for a couple of bits extra in the longer version of the instruction you avoid two register-to-register moves.
Pointers are 64-bit, but you'd need your program to consist entirely of pointers for this to double cache usage. In practice, you do see a small increase in data-cache usage, but it's offset by other things.
From performance point of view, if you don't really need 64 bits ( probably most of users will be fine with 4GB ram in next years) stay at 32 bits.
If we were talking about PowerPC or SPARC, you'd be (basically) correct. x86-64, however, is not just x86 with 64-bit pointers. It also gives you these other advantages:
I am TheRaven on Soylent News
I'm all in favor of x86_64, but as proven by one of dev blogs (no longer available) for a facebook-ish website using custom python code, it doesn't necessarily bring speedups/advantages everywhere. Their point was that python uses *a lot* of pointers. Tests showed, that even though switching to 64 bits brought some really minor improvements, it also brought much more memory usage to their servers, effectively worsening their performance. They've stayed with x86. They conducted tests some 2 or 3 years ago, I wonder what would be the result today?
did anyone check the source code for that diagnose command?
static void put_your_hands_up_hooker(int argc, char *argv[])
WTF?
What exactly is the point of supplying a checksum by the same route/download method as the file in question? Surely if the file can be modified, so can the checksum. Maybe it would be useful if people got the checksum and verified it was the same checksum everyone else saw, then verified the file with it, but that just doesn't happen.